# This strongswan-swanctl test is based on:
# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html
# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4
# The roadwarrior carol sets up a connection to gateway moon. The authentication
# is based on pre-shared keys and IPv4 addresses. Upon the successful
# establishment of the IPsec tunnels, the specified updown script automatically
# inserts iptables-based firewall rules that let pass the tunneled traffic. In
# order to test both tunnel and firewall, carol pings the client alice behind
# the gateway moon.
#     alice                       moon                        carol
#      eth1------vlan_0------eth1        eth2------vlan_1------eth1
# See the NixOS manual for how to run this test:
# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively

import ./make-test.nix ({ pkgs, ...} :

  allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT";

  # Shared VPN settings:
  vlan0         = "";
  carolIp       = "";
  moonIp        = "";
  version       = 2;
  secret        = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx";
  esp_proposals = [ "aes128gcm128-x25519" ];
  proposals     = [ "aes128-sha256-x25519" ];
in {
  name = "strongswan-swanctl";
  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ basvandijk ];
  nodes = {

    alice = { ... } : {
      virtualisation.vlans = [ 0 ];
      networking = {
        dhcpcd.enable = false;
        defaultGateway = "";

    moon = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 0 1 ];
        networking = {
          dhcpcd.enable = false;
          firewall = {
            allowedUDPPorts = [ 4500 500 ];
            extraCommands = allowESP;
          nat = {
            enable             = true;
            internalIPs        = [ vlan0 ];
            internalInterfaces = [ "eth1" ];
            externalIP         = moonIp;
            externalInterface  = "eth2";
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              "rw" = {
                local_addrs = [ moonIp ];
                local."main" = {
                  auth = "psk";
                remote."main" = {
                  auth = "psk";
                children = {
                  "net" = {
                    local_ts = [ vlan0 ];
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                inherit version;
                inherit proposals;
            secrets = {
              ike."carol" = {
                id."main" = carolIp;
                inherit secret;

    carol = { config, ...} :
      let strongswan = config.services.strongswan-swanctl.package;
      in {
        virtualisation.vlans = [ 1 ];
        networking = {
          dhcpcd.enable = false;
          firewall.extraCommands = allowESP;
        environment.systemPackages = [ strongswan ];
        services.strongswan-swanctl = {
          enable = true;
          swanctl = {
            connections = {
              "home" = {
                local_addrs = [ carolIp ];
                remote_addrs = [ moonIp ];
                local."main" = {
                  auth = "psk";
                  id = carolIp;
                remote."main" = {
                  auth = "psk";
                  id = moonIp;
                children = {
                  "home" = {
                    remote_ts = [ vlan0 ];
                    start_action = "trap";
                    updown = "${strongswan}/libexec/ipsec/_updown iptables";
                    inherit esp_proposals;
                inherit version;
                inherit proposals;
            secrets = {
              ike."moon" = {
                id."main" = moonIp;
                inherit secret;

  testScript = ''
    $carol->waitUntilSucceeds("ping -c 1 alice");